US Government Warns of Hidden Cobra North Korea Cyber Threat

A Department of Homeland Security (DHS) Alert released on Tuesday warns the public about a campaign of hacking by the government of North Korea it has code-named “Hidden Cobra.”

DHS joined the FBI for a joint Technical Alert about the campaign and its use of a piece of malicious software dubbed FallChill, a remote access trojan (RAT) that obscures so-called “command and control” communications between North Korean hackers and compromised systems on sensitive networks.

There are warnings from the DHS and FBI about a North Korean cyber operation dubbed Hidden Cobra.

The joint Technical Analysis released by FBI and DHS cites “trusted third-party reporting” to warn that North Korean actors that are part of the Hidden Cobra operation have been using FallChill malware since 2016 to target the aerospace, telecommunications, and finance industries.

A RAT with many tricks

FallChill is described as “a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.” The RAT is installed (or “dropped”) by other malware associated with the Hidden Cobra operation or as a result of “drive by downloads” from malicious websites controlled by the attackers.

US Government analysts have identified 83 network nodes associated with the FallChill malware. But DHS warned that the command and control (C2) infrastructure of FallChill relies on multiple proxies to obfuscate network traffic between North Korean hackers and victim system.

The presence of FallChill malware on a system could indicate that other malicious software associated with Hidden Cobra is also present, DHS and FBI warned.

The consequences of a compromise are severe. They include the temporary or permanent loss of sensitive or proprietary information, disruptions caused by destructive malware and the subsequent financial and reputation costs, the Alert warns.

Researchers at the firm CrowdStrike have also seen an uptick in attacks against defense industrial base, aerospace and financial firms in recent months, Adam Meyers, the Vice President of Intelligence at the firm CrowdStrike.

Meyers told The Security Ledger that his company has seen a shift in recent years from a near exclusive focus on main rival South Korea to campaigns with targets outside of the Korean peninsula.

The danger for targeted firms is considerable, Meyers said. “We’re not sure what their intentions are. We haven’t been able to observe enough of what they’re going after to understand whether this is espionage or whether they’re laying the groundwork for a destructive attack,” he said.

There may not be much difference. “Historically, those two types of campaigns start off as the same thing,” Meyers said.

Recent incidents like the WannaCry attack suggest that disruption is one goal of the North Korean cyber offensive units.

“Companies have to maintain extreme vigilance,” Meyers said. “They need to understand where on their infrastructure (North Korea) is and what they’ve done.”

Author: PaulI'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."